Two Years After Snowden: Protecting Human Rights in an Age of Mass Surveillance
Total Page:16
File Type:pdf, Size:1020Kb
Two years after Snowden: protecting human rights in an age of mass surveillance Executive summary “The hard truth is that the use of mass surveillance technology effectively does away with the right to privacy of communications on the Internet altogether.” Ben Emmerson QC, UN Special Rapporteur on counter-terrorism and human rights On 5 June 2013, a British newspaper, The Guardian, published the first in a series of revelations about indiscriminate mass surveillance by the USA’s National Security Agency (NSA) and the UK’s Government Communications Headquarters (GCHQ). Edward Snowden, a whistleblower who had worked with the NSA, provided concrete evidence of global communications surveillance programmes that monitor the internet and phone activity of hundreds of millions of people across the world. Governments can have legitimate reasons for using communications surveillance, for example to combat crime or protect national security. However because surveillance interferes with the rights to privacy and freedom of expression, it must be done in accordance with strict criteria: surveillance must be targeted, based on reasonable suspicion, undertaken in accordance with the law, necessary to meet a legitimate aim and be conducted in a manner that is proportionate to that aim, and non-discriminatory. This means that mass surveillance that indiscriminately collects the communications of large numbers of people cannot be justified. Mass surveillance violates both the right to privacy and to freedom of expression. This briefing presents an overview of the information that has come to light in the past two years about mass surveillance programmes run by the UK, US and other governments, as well as the key legal, policy and technological developments relating to mass surveillance and the right to privacy during this period. In this briefing, Amnesty International and Privacy International also present a 7-point plan of action to guarantee the protection of human rights in the digital age. In the past two years, we have learned the extent of mass surveillance programmes operated chiefly by the NSA and GCHQ, with the close cooperation of their sister agencies in Australia, Canada and New Zealand - collectively known as the Five Eyes Alliance (or ‘Five Eyes’). The revelations, which have been exposed by the media based on files leaked by Edward Snowden have included evidence that: Companies - including Facebook, Google and Microsoft - were forced to handover their customers’ data under secret orders through the NSA’s Prism programme; the NSA recorded, stored and analysed metadata related to every single telephone call and text message transmitted in Mexico, Kenya, and the Philippines; GCHQ and the NSA have co-opted some of the world's largest telecommunications companies to tap the transatlantic undersea cables and intercept the private communications they carry, under their respective TEMPORA and Upstream programmes; GCHQ and NSA hacked into the internal computer network of Gemalto, the largest manufacturer of SIM cards in the world, possibly stealing billions of encryption keys used to protect the privacy of mobile phone communications around the world. Public opposition has grown globally. A poll commissioned by Amnesty International, which questioned 15,000 people from 13 countries across every continent, found that 71 per cent of people are strongly opposed to their governments spying on their internet and phone communications. International and regional institutions and experts, including the UN High Commissioner for Human Rights and the Parliamentary Assembly of the Council of Europe, have expressed significant concerns about mass surveillance programmes and warned about the danger they pose to human rights. In December 2014, the UN General Assembly adopted a second resolution on the right to privacy in the digital age, where it expressed deep concern “at the negative impact that surveillance and/or interception of communications...in particular when carried out on a mass scale, may have on the exercise and enjoyment of human rights.”7 In March 2015, the UN Human Rights Council established for the first time a permanent mandate for a Special Rapporteur on the right to privacy, a historic move that will ensure privacy issues are at the forefront of the UN’s agenda for years to come. Courts in a number of countries ruled against mass surveillance and intelligence-sharing practices. In the United Kingdom, the Investigatory Powers Tribunal ruled that, prior to the Tribunal’s judgements handed down in December 2014 and February 2015, the regime governing the soliciting, receiving, storing and transmitting by UK authorities of private communications of individuals located in the UK, which have been obtained by US authorities pursuant to the Prism and Upstream programmes, contravened the European Convention on Human Rights. In the USA, a federal court of appeal ruled in May 2015 that the mass collection of US phone records was illegal. Many of the world’s largest technology companies have also spoken out against mass surveillance. In 2013, ten companies –including Apple, Facebook, Google, Microsoft, Twitter and Yahoo! – launched the Reform Global Government Surveillance Coalition, advocating for an end to bulk collection practices under the USA Patriot Act, among other legal reforms. Several major companies took more tangible steps against surveillance, increasing the default security and encryption provided to users on their platforms and services, better protecting the privacy of internet users against indiscriminate mass surveillance. There are also signs of limited legal reforms. For example, the USA Freedom Act, which was passed by the House of Representatives in May, attempts to end government bulk collection of US phone records.1 However, the law would also require companies to hold, search, and analyse certain data at the request of the government, arguably expanding the statutory basis for large-scale data collection rather than ending it. Additionally, many other aspects of US surveillance remain under-regulated and unaccountable under the new law – including the mass surveillance of millions of people outside of the US. Pressure is needed to ensure that governments dismantle these extraordinarily invasive surveillance systems at home and abroad. A first step in this regard is to recognise that privacy rights are owed equally to persons abroad as to those present in one’s own country. Companies have a responsibility to respect the right to privacy online. To live up to this responsibility they should take far bolder steps to increase security on their platforms and services, so that private user data is not made freely available for harvesting by governments. There is a rising tide of opinion against mass surveillance, but much remains at stake. Governments globally have enacted new laws granting mass surveillance powers of their own. This year has seen sweeping new surveillance powers introduced in Pakistan and France, while Denmark, Switzerland, the Netherlands and UK are set to present new intelligence bills in the near future. Preserving privacy, and ultimately freedom of expression, will require concerted action by individuals, technologists, legal experts, civil society, international organizations, companies and governments. No single solution is sufficient; rather a combination of domestic legal reforms, strong international standards, robust privacy protecting technologies, corporate commitment to user privacy and individual action is needed. 1 Uniting and Strengthening America by Fulfilling Rights and Ensuring Effective Discipline Over Monitoring Act of 2015 (USA FREEDOM Act of 2015), H.R.— 114th Congress (2015-2016). Mass surveillance of internet and phone communications: what we learned about US and UK programmes We now know, through the Snowden revelations, that the US and UK intelligence agencies have been operating indiscriminate mass surveillance programmes on a global scale, enabling the interception of a large proportion of the world’s Internet traffic as well as the phone communications of hundreds of millions of people. These capabilities are coupled with vast intelligence-sharing practices between members of the Five Eyes Alliance, as well as with a web of intelligence agencies in dozens of countries around the world.2 These are some of the programmes run by the NSA and GCHQ that have been revealed since 2013. [text box starts] Note on information about US and UK surveillance practices: The vast majority of information on mass surveillance practices by the USA and the UK in the public domain is based on documents leaked by whistleblower and former NSA analyst Edward Snowden. Documents leaked contain internal NSA and GCHQ documents. Some of the disclosures also include information about surveillance activities by other countries. Revelations about these mass surveillance practices have been published by various news organizations in several countries. The US government has confirmed the existence of some of the programmes exposed by the revelations, such as the Prism programme, however the information in most of the revelations has not been confirmed – or denied by either the US or the UK governments. In the absence of rejection by the USA or the UK of information contained in these leaks, and the fact that the authenticity of the documents leaked by Edward Snowden has not been disputed by either of the countries, information about mass surveillance programmes from these leaks is assumed to be correct.